Honesty

What is mock . what is relay

Atrium ships on Arbitrum Sepolia testnet in Year 1. Three of the venues we integrate (Aave V3, Pyth equity feeds, Hyperliquid) do not exist on Sepolia in a form we can use directly. We built mocks or relays so the user flow works end to end on testnet. We say so out loud below, with the exact mechanism and the timeline to "real". No claim on the landing, in the brand kit, or in the demo pretends these are the real upstream services.

Every other integration on this page is real testnet code (Chainlink CCIP, Chainlink Data Streams, Curve, Trade.xyz, Polymarket, USDC, x402, WebAuthn, EIP-712 mandates).

Aave Horizon adapter

Venue mock

What's actually happening

When you "deposit into Aave" on testnet, your USDC actually goes into MockAavePool, an Atrium-deployed contract that follows the exact Aave V3 interface. It mints aUSDC 1:1 and pretends to earn 5 bps yield per call.

Why

Aave V3 is not deployed on Arbitrum Sepolia in a usable form. We built the mock so the demo flow (deposit, accrue interest, withdraw) walks end to end on testnet.

When it becomes real

Mainnet flip (Year 2). Real Aave V3 lives on Arbitrum mainnet.

Tripwire on file

tripwires/2026-05-25-mock-aave-pool.md

Pyth equity price feeds (rTSLA, rAAPL, etc.)

Multisig relay

What's actually happening

Equity prices on Pyth are only published to mainnet. On Sepolia, our Praetor multisig reads the mainnet feed, signs the price, and posts it to the Plinth oracle slot. Called a "Praetor-signed relay".

Why

Pyth does not publish equity feeds on Sepolia as of 2026-05-25.

When it becomes real

When Pyth ships native Sepolia equity feeds, OR mainnet (Year 2). We monitor Pyth release notes for the equity-Sepolia announcement.

Hyperliquid HIP-3 + HIP-4 perps

Venue mock

What's actually happening

Hyperliquid is not on Arbitrum Sepolia at all. Our HyperliquidHybridAdapter uses validator-signed attestations: a validator signs each action, the adapter checks the signature, and the action is recorded on-chain. Currently 1-of-1 (deployer EOA is the only validator); expands to 3-of-5 after the Safe migration.

Why

Hyperliquid is a separate L1; no Sepolia bridge exists. The validator pattern is how Hyperliquid itself ships their cross-chain integrations (HIP-3 attestation model).

When it becomes real

Mainnet (Year 2) for native Hyperliquid integration. The 1-of-1 validator set expands to 3-of-5 when the Safe ceremony completes.

Tripwire on file

tripwires/2026-05-25-validator-1-of-1.md

Robinhood Chain adapter

Third-party blocker

What's actually happening

Not built yet. Adapter scaffold exists; the implementation waits on Robinhood publishing their public SDK.

Why

Robinhood Chain SDK is private as of 2026-05-25.

When it becomes real

Within 14 days of Robinhood publishing the SDK. Tracked in `human_left.md` as a third-party blocker.

Liquidation execution (Vigil keeper)

Interim state

What's actually happening

The Vigil contract scaffolds liquidation queuing + execution, and the keeper service monitors paused accounts on a 5-minute GitHub Actions cron. Real `executeLiquidation` calls are gated behind the keeper EOA being staked for 1000 ETH (hardcoded testnet floor).

Why

Sepolia faucet caps at ~0.1 ETH, so no testnet keeper can clear 1000 ETH. Service ships in monitoring-only mode until founder runs the unblock sequence: redeploy Vigil + Plinth via Stylus + multisig call `set_keeper_min_stake_emergency(0.01 ether)` + stake a fresh keeper EOA.

When it becomes real

Once the founder redeploy lands (Phase eta.2 ops; see `tripwires/2026-05-25-phase-eta-complete.md`). Code path activates automatically.

Admin control (praetor_multisig)

Interim state

What's actually happening

Every Atrium contract currently has `praetor_multisig = <deployer EOA>`. Anything dangerous (upgrade, parameter change, pause) requires that one key to sign.

Why

The deployer key bootstraps the system. The 3-of-5 Gnosis Safe ceremony is queued (see `scripts/safe-ceremony.md`) but requires 5 hardware wallets + a coordinated session.

When it becomes real

After the Safe ceremony lands. Script `scripts/transfer-admin.s.sol` hands admin from the deployer EOA to a 3-of-5 Safe in one Foundry run.

Cohort partner logos

Interim state

What's actually happening

No partner logos render on the cohort strip. The landing has an honest empty state: "No partners signed yet. cohort opens Month 2."

Why

Per `docs/conventions/writing.md`: partner names ship only with a signed source on file. None of the candidate partners (Pendle, Aave, Hyperliquid, IOSG, Variational, Horizen, Chainlink Labs, Pyth) have signed yet.

When it becomes real

As each signs, we drop a `data/cohort/<partner>.json` file + logo SVG; the landing reads it and renders. No pre-announcement.

Headline numbers on landing + mobile landing

Interim state

What's actually happening

The fake-data components (Numbers.tsx, MobileLanding.tsx, Features.tsx PortfolioMock) with hardcoded $4.13M / $12.37M / setInterval increments were deleted in the 2026-05-28 honesty pass. The live-stats strip (NumbersSection) now renders "n/a" for any value not sourced from a live API. One surface is explicitly illustrative rather than "n/a": the "capital convergence" diagram (Impluvium) shows sample per-venue collateral figures, but it is labelled "illustrative schematic" so it is never read as live measurement.

Why

Per `docs/conventions/ui.md`: never show a placeholder number that looks real. The Lovable-port components with hardcoded $4.13M / $12.37M / setInterval increments are gone.

When it becomes real

Live as soon as Scribe + Plinth + Coffer return non-zero data after the timelock fires.

Reference agents (Augur, Haruspex, Auspex)

Interim state

What's actually happening

The three reference agents live as Vercel cron services and tick on schedule (Augur 5-min, Haruspex 1-hour, Auspex daily). Each tick reads its mandates from Codex + Scribe and records observation notes. Production behaviour would build an ActionSigil from the observation, sign it with the agent's session key, and submit via AtriumRouter.openPositionViaAdapter. The current scaffold logs `would-act-on: <intentHash>` instead so the agents are demonstrably alive without spending mandate budget or risking user collateral.

Why

Each agent that actually acts needs (1) a dedicated session-key EOA provisioned in Vercel env, (2) a signed IntentSigil mandate from a real user funded with USDC + collateral, (3) clear risk boundaries on what each strategy can do. Without (1)-(3) the agents would either no-op (no real mandate) or burn whatever testnet USDC the founder funds. Either path is worse than the honest stub.

When it becomes real

When the cohort partner program lands (Month 2): partner provisions a mandate with explicit risk caps, agent session key is registered against it, the agent's tick handler swaps `would-act-on` for the real ActionSigil-build-and-submit path. Per-agent diff is ~30 LOC; the scaffold is mechanical.

Synthetix V3 + Morpho Blue adapters

Interim state

What's actually happening

Both adapters are listed on /app/markets for design completeness, but `open_position` reverts with `ScaffoldNotImplemented`. The /app/trade venue list never offered them; the markets tile renders a "scaffold · open blocked" pill explicitly.

Why

Year-1 scope shipped the 7 production venues (Hyperliquid, Aave Horizon, Pendle, Curve, Trade.xyz, Polymarket, GMX). Synthetix V3 + Morpho Blue scaffolds existed as forward-compatible contracts; before the Phase theta-followup lockdown, an open call would have pulled USDC via Coffer.adapterPull but never deployed into the upstream protocol, a funds-strand risk.

When it becomes real

Year 2. Real Synthetix V3 `commitOrder` + sUSD-vs-USDC bridging, and real Morpho `supplyCollateral` + `borrow` + LLTV math. The contract scaffolds + tests are in place to make those follow-ups mechanical.